AWS WAF (Web Application Firewall): Application-Layer Protection 🔥

Series: The Solutions Architect's Guide | Category: Security, Identity, and Compliance

Nineteenth and final post in the Security, Identity, and Compliance category, and we’re exploring AWS WAF (Web Application Firewall), the service that protects web applications from common exploits and attacks at the application layer (Layer 7), letting you control which HTTP/HTTPS requests reach your resources by defining customizable rules that block, allow, or count web requests based on conditions like IP addresses, HTTP headers, request body content, geographic location, and request rate, helping defend against SQL injection, cross-site scripting (XSS), bot attacks, and other OWASP Top 10 threats.

Let’s break it down. 👇

What It Is

• A Web Application Firewall to protect web applications from common exploits.

• Lets you control which HTTP/S requests reach your resources.

• Helps block, allow, or count web requests based on defined rules.

Key Features

1. Web ACL (Access Control List)

• The main container for WAF rules.

• Attach Web ACL to:

  • Amazon CloudFront distributions.

  • Application Load Balancers (ALB).

  • AWS App Runner services.

  • Amazon API Gateway.

  • AWS AppSync.

2. Rules and Rule Groups

• Define conditions for filtering web traffic.

• Types of rules:

  • IP match conditions (allow/block specific IPs).

  • String match (inspect headers, body, query string).

  • Geo match (block/allow by country).

  • Regex pattern sets.

  • Size constraints.

  • Rate-based rules (limit requests per IP).

• Managed Rule Groups:

  • AWS provides pre-configured rules against common threats (SQL injection, XSS).

  • AWS Marketplace sellers also offer curated rule groups.

3. Rate-Based Rules

• Automatically block IPs that exceed a configurable request threshold.

4. Bot Control

• Identify and block unwanted bots and scrapers.

• AWS-managed detection with optional CAPTCHA challenges.

5. Custom Responses

• Return custom error pages or messages when blocking traffic.

6. Logging and Metrics

• Detailed request logs sent to Amazon Kinesis Data Firehose.

• Integration with CloudWatch Metrics and Alarms.

Pricing

• Pay for:

  • Web ACLs.

  • Number of rules per ACL.

  • Number of requests processed.

Security and Compliance

• Helps meet PCI DSS, GDPR, and other compliance requirements.

• Protects against OWASP Top 10 threats.

Use Cases

• Blocking common web exploits like SQL injection and cross-site scripting.

• Limiting request rates to prevent DDoS or scraping.

• Allowing or blocking traffic from specific geographies.

• Integrating with CloudFront for global edge protection.

• Protecting APIs hosted on API Gateway or AppSync.

AWS WAF vs AWS Shield

• AWS WAF: Protects at the application layer (Layer 7) with custom rules.

• AWS Shield: Protects against DDoS attacks.

  • Shield Standard = automatic protection, free.

  • Shield Advanced = additional DDoS protection and response team access.

Exam Tips

• AWS WAF protects web apps at Layer 7.

• Attach WAF Web ACLs to CloudFront, ALB, API Gateway, App Runner, AppSync.

• Use Managed Rule Groups for easy protection.

• Rate-based rules to throttle or block abusive IPs.

• Logging via Kinesis Firehose, metrics via CloudWatch.

• Often used with AWS Shield and AWS Firewall Manager for complete protection.

Next up: Serverless services ⚡